Loopholes in the flight to dance

Author: Hyun-cat [b.c.t]
Website: http://www.cnbct.org/&http://www.blackwoods.cn/
Original: Http://www.cnbct.org/xuan1.doc
Reprint, please pay attention to copyright, issued in the black X2005 Year 7

First, the preface.

It seems to be 2002 that the first flight at that time it launched a seemingly called Fei Cheng Post Office, providing 280M of space (at the time is very large), when learning SQL injection, has used it to practice, and now this station development is not small, so again it for the safety test it, Find loopholes flying in the sky, and very interesting, the entire site which column of the system are unique, There are. NET, PHP, and ASP, I really do not know how many people they are 1.1 points to develop, and they use what kind of server, strange ah ~ In fact, they can see the technical unprofessional. From the test results, the loopholes are very naïve, okay, pick up some of the more typical vulnerabilities that I've found. Give us one by one introduction (injection of the loophole will not say it, because the cat is too lazy to find injection point, we can find their own look, there are many, but the error tip is closed.) To be able to contain most common web site program vulnerabilities.

Second, the Web Site Program Vulnerability Introduction.

The habit of the Black cat first from the system function, this place out of the loopholes are generally more dangerous.

1, the recovery of password verification is not strictly caused by any user can modify the password vulnerability.

People in the rivers and lakes walk, inevitably forget the password, retrieve the password function of course is now involved in member management of the network program "standard", but the recovery of the password function is easy to see a big mistake is not strict, we look at:

Register a user named Blackcat, and then click on the home page of the "Forgotten password" button to retrieve the password, look at the process of the program, first enter the user name, and then fill out the answer to the question, and then is to modify the password (reader: Another use of nonsense to cheat royalties). We save this third step of the page, with UltraEdit Open look at the source code, read 118 lines, we see such a line of code <input name= "G_username" id= "G_username" type= "hidden" Value= "Blackcats"/> In order to take care of readers who do not understand HTML, I am talking about the meaning of this code, this is a hidden text field, the value is Blackcats, that is, we want to retrieve the username of the password, because the hidden field is not displayed on the page, So many programmers use it to pass parameters, but here's a very serious flaw in this approach, and for convenience, we register a user named "Blackwoods" with the password set to 123456. After the successful registration, we will modify the saved to the local Web page file, change the value= "Blackcats" to Value= "Blackwoods", and then change the action= "getpassword_2.aspx" of the 93rd line of the document to Action= " Http://www.fc****.com/reg/getpassword_2.aspx ", open this page, enter 654321 in the place where the new password is entered, and then submit it to show that the modification was successful, We use 123456 password login user Blackwoods will find that the password is wrong, and then use 654321 Landing, success, which is serious because of the strict verification caused by the arbitrary modification of user password loopholes.

Let's look at the vulnerabilities of the services it provides.

2, the network to remember the content of the cross-station loophole.

First look at the service, generally speaking of such a person like to write, n more people look at the east, we have to consider is XSS cross-station loophole, (do not underestimate the cross station, I think the radiation fish in this respect quite a lot of research, he often can put forward in addition to steal cookies more powerful use method, For example, use the administrator's form directly to do some operations, you can look at the previous magazine. In the following content, we try to use code to &LT;SC the Sun Pt>alert ("Hyun-cat, Hyun-cat, Hyun-cats to the college entrance exam") </sc the Sun pt> to test the page can run our JAVASC solar pt script.

We open a write on the page, first test content can write cross station script, said that the title casually write, content to write a &LT;SC Sun Pt>alert ("Hyun-cat, Hyun-cat, Black Cats to the college Entrance Examination") </sc the Sun Pt> and then go and see, not hard to see, The SC Sun PT we wrote was replaced with S C Solar pt, (Fig.)

The middle of a number of spaces, and then to change the size of the test, content to write &LT;SC Sun Pt>alert ("Hyun-cat, Hyun-cat to the college Entrance Examination") </sc the Sun Pt&gt, or not, it seems to be a flexible way, we find besides what can be output, right, title, But some friends will have questions, the title let write 10 words, not enough ah, we will save the file to the local, research FORM verification: 232 lines have a <form id=frmannounce name=frmannounce onsubmit= "return Checkform (); " Code, it is not difficult to see, this onsubmit trigger function is to check the title Word number of code, we delete onsubmit= "return Checkform ();", and then fill the action, the title of the <sc Sun Pt>alert (" Hyun-Cat, Hyun-cat to the college Entrance Examination "") </sc the Sun Pt&gt, content casually write something, submitted, in the subsequent refresh out of the page, elegant to pop up our dialog box, Cross station success. (Figure II)